Trojan:MacOS/Amos.AO!MTB - Windows Defender Threat Analysis

This is a macOS Trojan (Amos family) detected with high confidence via concrete signatures and behavioral analysis. It specifically targets and steals cryptocurrency wallet data from applications like Wasabi, Exodus, Atomic, and Guarda, posing a critical financial threat.

No specific strings found for this threat

rule Trojan_MacOS_Amos_AO_2147919063_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MacOS/Amos.AO!MTB"
        threat_id = "2147919063"
        type = "Trojan"
        platform = "MacOS: "
        family = "Amos"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_MACHOHSTR_EXT"
        threshold = "11"
        strings_accuracy = "Low"
    strings:
        $x_5_1 = "walletwasabi/client/Wallets/" ascii //weight: 5
        $x_5_2 = "Exodus/exodus.wallet/" ascii //weight: 5
        $x_1_3 = "atomic/Local Stveldb/" ascii //weight: 1
        $x_1_4 = "Guarda/Local Storage/leveldb/" ascii //weight: 1
        $x_1_5 = {ff 43 01 d1 fd 7b 04 a9 fd 03 01 91 a0 83 1f f8 a8 83 5f f8 e8 07 00 f9 e0 83 00 91 e0 03 00 f9 61 00 00 f0 21 f8 06 91 6a ?? ?? ?? e1 03 40 f9 e2 07 40 f9 e0 03 02 aa}  //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (
            ((2 of ($x_5_*) and 1 of ($x_1_*))) or
            (all of ($x*))
        )
}

Immediately isolate the compromised macOS device to prevent further data exfiltration. Perform a full system scan with updated antivirus software to remove the threat, then promptly change all cryptocurrency wallet passwords and transfer funds to a secure, uncompromised wallet or cold storage. Monitor financial accounts for unauthorized transactions and reinforce security awareness regarding phishing and suspicious downloads.